missing A record on DNS Serve

nobody · Oct 27, 2007

I got 2 AD integrated DNS servers. however one A record is missing on DNS1
which is showing up in DNS 2. I need all therecords for this particular zone
to be synced and identical between the two servers and its not the same
right now. Any idea? I already have zone transfers configured between the
two servers, reload both zones and also increments the soa value. its not
working

Meinolf Weber · Oct 27, 2007

Hello NoBoDy,

Please post an ipconfig /all from both machines. Also run dcdiag and netdiag
to check the DC's for errors.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.

nobody · Oct 27, 2007

hi

on dc1, netdiag passed all tests but it skipped trust relationship test

on dc2

it gave me an error

Trust relationship test. . . . . . : Failed
[FATAL] Secure channel to domain 'domain' is broken.
[ERROR_NO_TRUST_SAM_A
CCOUNT]

Kerberos test. . . . . . . . . . . : Passed

LDAP test. . . . . . . . . . . . . : Passed
[WARNING] The default SPN registration for 'HOST/dc2.domain.com' is
missing on DC 'dc1.domain.com'.
[WARNING] The default SPN registration for 'HOST/DC2' is missing on
DC 'dc1.domain.com'.

any idea?

Meinolf Weber · Oct 27, 2007

Hello NoBoDy,

Please post an unedited ipconfig /all from both machines.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.

hi

on dc1, netdiag passed all tests but it skipped trust relationship
test

on dc2

it gave me an error

Trust relationship test. . . . . . : Failed
[FATAL] Secure channel to domain 'domain' is broken.
[ERROR_NO_TRUST_SAM_A
CCOUNT]

Kerberos test. . . . . . . . . . . : Passed

LDAP test. . . . . . . . . . . . . : Passed
[WARNING] The default SPN registration for 'HOST/dc2.domain.com'
is
missing on DC 'dc1.domain.com'.
[WARNING] The default SPN registration for 'HOST/DC2' is missing
on
DC 'dc1.domain.com'.
any idea?

Hello NoBoDy,

Please post an ipconfig /all from both machines. Also run dcdiag and
netdiag to check the DC's for errors.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.

Click to expand...

nobody · Oct 27, 2007

I think i know what the problem is

here is what is happening.

I originally had 1dc

I made an image of this dc a few days ago

The image is a virtual machine turned off

yesterday I joined dc2 to the domain, configured dns ad integrated and
replication with dc1 (physical computer)

All is fine.

then i turned off the physical dc1

turned on the virtual machine dc1

dc1 does not know there is a dc2 in the domain

right now when i go to dc1 aduc, I cannot see dc2

when i go to dc2 aduc, i can see dc1

what do i do?

Meinolf Weber said:
Hello NoBoDy,

Please post an unedited ipconfig /all from both machines.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.

hi

on dc1, netdiag passed all tests but it skipped trust relationship
test

on dc2

it gave me an error

Trust relationship test. . . . . . : Failed
[FATAL] Secure channel to domain 'domain' is broken.
[ERROR_NO_TRUST_SAM_A
CCOUNT]

Kerberos test. . . . . . . . . . . : Passed

LDAP test. . . . . . . . . . . . . : Passed
[WARNING] The default SPN registration for 'HOST/dc2.domain.com'
is
missing on DC 'dc1.domain.com'.
[WARNING] The default SPN registration for 'HOST/DC2' is missing
on
DC 'dc1.domain.com'.
any idea?

Hello NoBoDy,

Please post an ipconfig /all from both machines. Also run dcdiag and
netdiag to check the DC's for errors.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
I got 2 AD integrated DNS servers. however one A record is missing
on DNS1 which is showing up in DNS 2. I need all therecords for this
particular zone to be synced and identical between the two servers
and its not the same right now. Any idea? I already have zone
transfers configured between the two servers, reload both zones and
also increments the soa value. its not working

Click to expand...

Click to expand...

Meinolf Weber · Oct 27, 2007

Hello NoBoDy,

Answered on your other post. Please do not post the same question in different
NG's. Also post always the COMPLETE information what you have done. How should
we follow you if we don't have the complete info from your problems?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.

I think i know what the problem is

here is what is happening.

I originally had 1dc

I made an image of this dc a few days ago

The image is a virtual machine turned off

yesterday I joined dc2 to the domain, configured dns ad integrated and
replication with dc1 (physical computer)

All is fine.

then i turned off the physical dc1

turned on the virtual machine dc1

dc1 does not know there is a dc2 in the domain

right now when i go to dc1 aduc, I cannot see dc2

when i go to dc2 aduc, i can see dc1

what do i do?

Hello NoBoDy,

Please post an unedited ipconfig /all from both machines.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.

hi

on dc1, netdiag passed all tests but it skipped trust relationship
test

on dc2

it gave me an error

Trust relationship test. . . . . . : Failed
[FATAL] Secure channel to domain 'domain' is broken.
[ERROR_NO_TRUST_SAM_A
CCOUNT]
Kerberos test. . . . . . . . . . . : Passed

LDAP test. . . . . . . . . . . . . : Passed
[WARNING] The default SPN registration for 'HOST/dc2.domain.com'
is
missing on DC 'dc1.domain.com'.
[WARNING] The default SPN registration for 'HOST/DC2' is missing
on
DC 'dc1.domain.com'.
any idea?

Hello NoBoDy,

Please post an ipconfig /all from both machines. Also run dcdiag
and netdiag to check the DC's for errors.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties,
and
confers no rights.
I got 2 AD integrated DNS servers. however one A record is
missing on DNS1 which is showing up in DNS 2. I need all
therecords for this particular zone to be synced and identical
between the two servers and its not the same right now. Any idea?
I already have zone transfers configured between the two servers,
reload both zones and also increments the soa value. its not
working

Click to expand...

Click to expand...

nobody · Oct 28, 2007

i dont mean to top post. I realyl could use some help if possible

Should i run dcpromo /forceremoval from physical dc1?

Meinolf Weber said:
Hello NoBoDy,

Answered on your other post. Please do not post the same question in
different NG's. Also post always the COMPLETE information what you have
done. How should we follow you if we don't have the complete info from
your problems?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.

I think i know what the problem is

here is what is happening.

I originally had 1dc

I made an image of this dc a few days ago

The image is a virtual machine turned off

yesterday I joined dc2 to the domain, configured dns ad integrated and
replication with dc1 (physical computer)

All is fine.

then i turned off the physical dc1

turned on the virtual machine dc1

dc1 does not know there is a dc2 in the domain

right now when i go to dc1 aduc, I cannot see dc2

when i go to dc2 aduc, i can see dc1

what do i do?

Hello NoBoDy,

Please post an unedited ipconfig /all from both machines.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
hi

on dc1, netdiag passed all tests but it skipped trust relationship
test

on dc2

it gave me an error

Trust relationship test. . . . . . : Failed
[FATAL] Secure channel to domain 'domain' is broken.
[ERROR_NO_TRUST_SAM_A
CCOUNT]
Kerberos test. . . . . . . . . . . : Passed

LDAP test. . . . . . . . . . . . . : Passed
[WARNING] The default SPN registration for 'HOST/dc2.domain.com'
is
missing on DC 'dc1.domain.com'.
[WARNING] The default SPN registration for 'HOST/DC2' is missing
on
DC 'dc1.domain.com'.
any idea?

Hello NoBoDy,

Please post an ipconfig /all from both machines. Also run dcdiag
and netdiag to check the DC's for errors.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties,
and
confers no rights.
I got 2 AD integrated DNS servers. however one A record is
missing on DNS1 which is showing up in DNS 2. I need all
therecords for this particular zone to be synced and identical
between the two servers and its not the same right now. Any idea?
I already have zone transfers configured between the two servers,
reload both zones and also increments the soa value. its not
working

Click to expand...

Click to expand...

Kevin D. Goodknecht Sr. [MVP] · Oct 29, 2007

Read inline please.

In

nobody said:
i dont mean to top post. I realyl could use some help if possible

Should i run dcpromo /forceremoval from physical dc1?

You cannot make an image of a DC and expect other DCs to accept the DC as
part of its domain because the USN won't match what is expected. The imaged
DC will NOT replicate with other DCs.
You will need to do dcpromo /forceremoval on the imaged DC, because the
Physical DC is the only one that will replicate with other DCs in the
domain.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps

===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================

nobody · Oct 29, 2007

now the physical one wont replicate. i have seized all roles on dc2. tried
to run dcpromo /forceremoval on dc1 but failed

Kevin D. Goodknecht Sr. [MVP] · Oct 30, 2007

Read inline please.

In

nobody said:
now the physical one wont replicate. i have seized all roles on dc2.
tried to run dcpromo /forceremoval on dc1 but failed

Is it pointed to itself for DNS and isolated from the network where DC2
resides?

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps

===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================

Ace Fekay [MVP] · Oct 31, 2007

Meinolf Weber said:
Hello NoBoDy,

Answered on your other post. Please do not post the same question in
different NG's. Also post always the COMPLETE information what you have
done. How should we follow you if we don't have the complete info from
your problems?

Curious, where else did he post?

Ace

Ace Fekay [MVP] · Oct 31, 2007

nobody said:
now the physical one wont replicate. i have seized all roles on dc2. tried
to run dcpromo /forceremoval on dc1 but failed

Nobody, is this a production domain controller or is this a lab test?

Ace

Meinolf Weber · Oct 31, 2007

Hello Ace Fekay [MVP],

Here you can see also parts of the story

And this question belongs to the postings with subject "Problem" in microsoft.public.windows.server.general
and "Missing A record on DNS serve" in microsoft.windows.public.win2000.dns
and "seized all roles - still cannot run dcprmo" microsoft.public.windows.server.general

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.dts-l.org/goodpost.htm

Ace Fekay [MVP] · Oct 31, 2007

Meinolf Weber said:
Hello Ace Fekay [MVP],

Here you can see also parts of the story

And this question belongs to the postings with subject "Problem" in
microsoft.public.windows.server.general and "Missing A record on DNS
serve" in microsoft.windows.public.win2000.dns and "seized all roles -
still cannot run dcprmo" microsoft.public.windows.server.general

Best regards

Meinolf Weber

Wow, I bet he's putting in alot of energy just to find and read all the
responses. I'll tell you what, it will require me addiditonal energy to help
him out to look for all of them, especially with different subject lines and
probably different names.

Nobody,

If only you had cross-posted to all the groups. All responses would have
gone to all the groups simultaneously and all you would have needed to do is
check one group's responses. This way we all could have collaborated
together to help you.

Ace

nobody · Oct 31, 2007

test

Ace Fekay said:
Nobody, is this a production domain controller or is this a lab test?

Ace

Ace Fekay [MVP] · Oct 31, 2007

nobody said:
test

I guess that's a good thing. It would have been really unfortunate if it
were a prod machine. You have to be careful with Ghosting DCs. As Meinwolf
explained, there is more than meets the eye with AD with the way it works
under the hood.

Ace

Ace Fekay [MVP] · Nov 3, 2007

nobody said:
now the physical one wont replicate. i have seized all roles on dc2. tried
to run dcpromo /forceremoval on dc1 but failed

I must agree with Kevin and everyone else as to not use a Ghosted DC.

Here are 14 steps to manually force remove a DC.

1) On another DC in the domain run NTDSUTIL to move the FSMO's, er seize
them! DOH. (If this is the only DC, then don't worry about it)
2) Make sure DNS is 100% solid on the working DC. (If only one DC, don't
worry about it for now, but configure it correctly before promoting it to a
new DC).
3) Make sure working DC is also a GC. (If just one DC, don't worry about
it).
4) Boot corrupted DC into DSRM, edit the registry change
HKLM\SYSTEM\CCS\Control\ProductOptions change the ProductType value from
LanmanNT to ServerNT. This key dictates if the machine is a DC or just a
server. ServerNT means it's not a DC.
5)Command prompt > net stop ntfrs to stop FRS.
6) Delete the Winnt\Sysvol and NTDS directories.
7) Reboot the now former DC
8) Log into the now member server. Change it to a stand alone, by joining a
workgroup (My Computer Properties, Network ID tab, remove it from the old
domain).
9) Reboot the now stand alone server.
10) If there is only one DC in the domain, skip this step, otherwise, on the
good DC delete the disabled computer account for the old, now defunct DC.
11) Now on this new stand alone machine, set the Primary DNS Suffix to the
new domain name that you want (In My Computer. Properties, Network ID Tab,
Properties, More,). Reboot.
12. Make sure that DNS is configured with the new domain name and updates
set to YES.
13. Run DCPROMO to create a new domain or join the domain/tree/forest again.
14. Reboot.

Ace